
Issue 690507

Starred by 4 users

Issue metadata

Status: Duplicate
Merged: issue 663971
Closed: Feb 2017
OS: Linux, Windows, Mac
Pri: 1
Type: Bug-Regression




Moving View Certificate poses unreasonable burden on users to inspect certificates

Reported by michael....@ridgefieldsd.org, Feb 9 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Go to SSL/TLS Site 
2. Click the Lock icon in the URL Bar
3. View certificate is no longer available

What is the expected behavior?
Users should be able to easily view the certificate of the website they are on without having to navigate through developer tools, which may be disabled on managed devices.

What went wrong?
The UI team removed the "view certificate" link from the URL bar, putting it in a place that some users cannot access.

Did this work before? Yes 54?

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 24.0 r0

Without this link it is very, very difficult to check the authority chain of a website's certificate. This makes the web less safe when Chrome was supposed to be making the internet more safe. Please either reinstate this link, or give users a more friendly method to view this vital information.

 
Labels: Needs-Triage-M56
Can you please provide the website where you are seeing the issue?
Any TLS website. Including this very website. The UX change has made it so you cannot click the lock icon and view the certificate of the website you are on.
Instead, it now gives a list of site settings, and a text snippet saying "Secure Connection. Your information (for example, passwords or credit card numbers) is private when it is sent to this site. Learn More"

The Learn More link sends the user to a Google page explaining what the secure/not secure icons mean. But it does not give the user the ability to view the certificate. Making users either go through a more strenuous process to view the certificate authority chain or follow a policy of "just trust the browser" which flies in the face of all security best practices.
I agree that this is a critical issue. Users must be able to view a site's certificate with a single click.

In addition to the classical risks: Nowadays there are some AV products that are employing man-in-the-middle approaches using custom certificates. That's just one more reason not to hide certificate checking and validation from the user.
Components: -UI Internals>Network>Certificate
Labels: -Pri-2 -Needs-Triage-M56 M-56 hasbisect OS-Linux OS-Mac Pri-1
Owner: lgar...@chromium.org
Status: Assigned (was: Unconfirmed)
Able to reproduce the issue on Windows 7, Linux Ubuntu 14.04 and Mac 10.12.3 using Chrome version 56.0.2924.87 and canary 58.0.3011.0.
This is a regression issue broken in M56. Please find the bisect information below.

Narrow Bisect::
Good:: 56.0.2924.12 -- (build revision 433059)
Bad:: 56.0.2924.14 -- (build revision 433059)

Unable to provide the tool bisect as the good and bad builds are from branch builds, hence providing manual CL from the omahaproxy.

https://chromium.googlesource.com/chromium/src/+log/56.0.2924.12..56.0.2924.14?pretty=fuller&n=10000

Possible suspect::
https://codereview.chromium.org/2543023002

lgarron@ Could you please check and provide more inputs on this issue.

Thanks,
Mergedinto: 663971
Status: Duplicate (was: Assigned)
